Remove /home and unused top-level dirs. Make /var encrypted with tpm2.

2024-11-16 22:11:35 +01:00 · 2024-11-16 22:11:35 +01:00 · 902c3eddf3
commit 902c3eddf3
parent 9b6a5d9199
7 changed files with 46 additions and 37 deletions
--- a/modules/image/default.nix
+++ b/modules/image/default.nix
@ -51,11 +51,16 @@
      Label = "_empty";
      ReadOnly = 1;
    };
-    "40-home" = {
-      Type = "home";
+    "40-var" = {
+      Type = "var";
+      UUID = "4d21b016-b534-45c2-a9fb-5c16e091fd2d"; # Well known
      Format = "btrfs";
-      SizeMinBytes = "512M";
+      Label = "patos-state";
+      Minimize = "off";
+      FactoryReset = "yes";
      Encrypt = "tpm2";
+      SizeMinBytes = "2G";
+      SplitName = "-";
    };
  };

@ -99,10 +104,21 @@
    "roothash=${config.system.build.verityRootHash}"
  ];

-  fileSystems."/var" = {
-    fsType = "tmpfs";
-    options = [ "mode=0755" ];
-  };
+  fileSystems =
+    let
+      parts = config.systemd.repart.partitions;
+    in
+    {
+      "/var" = {
+        fsType = parts."40-var".Format;
+        device = "/dev/mapper/var";
+        encrypted = {
+          enable = true;
+          blkDev = "/dev/disk/by-partuuid/${parts."40-var".UUID}";
+          label = "var";
+        };
+      };
+    };

  # Required to mount the efi partition
  boot.kernelModules = [
@ -111,10 +127,10 @@
    "nls_iso8859-1"
  ];

-  # Store SSH host keys on /home since /etc is read-only
+  # Store SSH host keys on /var/lib/ssh since /etc is read-only
  services.openssh.hostKeys = [
    {
-      path = "/home/.ssh/ssh_host_ed25519_key";
+      path = "/var/lib/ssh/ssh_host_ed25519_key";
      type = "ed25519";
    }
  ];
@ -126,8 +142,4 @@

  # Refuse to boot on mount failure
  systemd.targets."sysinit".requires = [ "local-fs.target" ];
-
-  # Make sure home gets mounted
-  systemd.targets."local-fs".requires = [ "home.mount" ];
-
 }
--- a/modules/image/ssh.nix
+++ b/modules/image/ssh.nix
@ -19,8 +19,8 @@

    systemd.services."default-ssh-keys" = {
      script = ''
-        mkdir -p /home/admin/.ssh/
-        cat /efi/default-ssh-authorized-keys.txt >> /home/admin/.ssh/authorized_keys
+        mkdir -p /var/home/admin/.ssh/
+        cat /efi/default-ssh-authorized-keys.txt >> /var/home/admin/.ssh/authorized_keys
      '';
      wantedBy = [
        "sshd.service"
@ -28,8 +28,8 @@
      ];
      unitConfig = {
        ConditionPathExists = [
-          "/home/admin"
-          "!/home/admin/.ssh/authorized_keys"
+          "/var/home/admin"
+          "!/var/home/admin/.ssh/authorized_keys"
          "/efi/default-ssh-authorized-keys.txt"
        ];
      };